[INFO]
AnalystName=Cristi Dobos
AnalystEMailID=dobosc@comodo.com
Team=Romania
Date=08-FEB-2010
Type=TrojWare
Platform=Win32
SubType=GameThief
Family=Nilage
Variant=

[OVERVIEW]
TrojWare.Win32.Nilage is a password-stealing trojan. Its main purpose is to steal account information from users playing a game in the Lineage series.

[TECHNICAL_DESCRIPTION]
In most cases, Win32.Nilage exhibits the following behavior:

It creates an executable file on the victim machine in the "Windows" folder or one of its sub-folders. The file is given a common-sounding name such as "svchost.exe", "iexplorer.exe" or "rundl132.exe". It also creates a start-up key for this executable, again with a common name that resembles Windows applications or other legitimate programs. The malicious process therefore starts automatically at every reboot and always runs in the background.

It creates a DLL file on the infected system, in the "Windows" folder or a sub-folder, assigning it a random name. This file is registered through regsvr32.exe and, once registered under the "ShellExecuteHooks" registry key, is used to hook Windows APIs.

After infecting the system, it uses various techniques to steal user account information:
- monitors the active process window and records all user keystrokes;
- monitors the launch of the targeted game process and then intercepts user input;
- monitors specific server URLs and intercepts traffic when the user accesses the "Retrieve lost password" function.

It records the stolen information in a plain or encrypted text file. The information is then emailed back to the attackers or posted to a website using an HTML form.

[SYMPTOMS]
No visible symptoms.

[DISINFECTION]
Install and scan with Comodo AntiVirus to remove these threats.
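The two persistence artefacts above (a start-up entry whose file name imitates a Windows binary, and a randomly named DLL registered under "ShellExecuteHooks") are both visible in a registry export, which makes them a practical triage target. The script below is an added example, not Comodo's tooling: it parses a constructed .reg export, flags Run-key entries whose file name is an edit-distance lookalike of a known Windows binary or a genuine name sitting outside System32, and reports any ShellExecuteHooks CLSID that is not on an allowlist, resolving it to its InprocServer32 DLL. The sample export, the CLSIDs, the allowlist and the list of imitated binary names beyond those in the report are all assumptions made for the example.

```python
"""Triage a Windows registry export (.reg text) for Nilage-style persistence.
Added example, not Comodo's tooling; the sample export and CLSIDs are constructed."""

# Binaries whose names droppers imitate. The report names svchost, iexplore and
# rundll32; the remaining entries are assumed common targets for the example.
LEGIT_NAMES = {"svchost.exe", "iexplore.exe", "rundll32.exe",
               "explorer.exe", "lsass.exe", "csrss.exe"}
# Directories where those binaries legitimately live (heuristic, not exhaustive).
LEGIT_DIRS = ("c:\\windows\\system32\\", "c:\\windows\\syswow64\\")
# ShellExecuteHooks CLSIDs treated as known-good: an assumed allowlist for the example.
KNOWN_GOOD_HOOKS = {"{AEB6717E-7E19-11D0-97EE-00C04FD91972}"}

# Constructed sample export: one benign Run entry, two suspicious ones, one
# allowlisted hook and one unknown hook that resolves to a random-looking DLL.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"Windows Update"="C:\\Windows\\Temp\\rundl132.exe"
"Lineage Helper"="C:\\Windows\\svchost.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{11111111-2222-3333-4444-555555555555}"=""

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Windows\\system\\qzxvbn.dll"
"""


def parse_reg(text):
    """Return {key_path_lowercased: {value_name: value_string}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and "=" in line and not line.startswith(";"):
            name, _, value = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            # .reg files double every backslash inside string values.
            keys[current][name] = value.strip('"').replace("\\\\", "\\")
    return keys


def edit_distance(a, b):
    """Levenshtein distance, used to catch one- or two-character name swaps."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike(filename):
    """Return the legitimate name a file name imitates (distance <= 2), else None."""
    name = filename.lower()
    if name in LEGIT_NAMES:
        return None
    best = min(sorted(LEGIT_NAMES), key=lambda legit: edit_distance(name, legit))
    return best if edit_distance(name, best) <= 2 else None


def triage(keys):
    """Yield (kind, name, path, reason) findings for Run keys and ShellExecuteHooks."""
    findings = []
    for key, values in keys.items():
        if key.endswith("\\currentversion\\run") or key.endswith("\\currentversion\\runonce"):
            for name, path in values.items():
                exe = path.split("\\")[-1].lower()
                mimic = lookalike(exe)
                if mimic:
                    findings.append(("run-lookalike", name, path, f"mimics {mimic}"))
                elif exe in LEGIT_NAMES and not path.lower().startswith(LEGIT_DIRS):
                    findings.append(("run-misplaced", name, path, "legitimate name outside its system directory"))
        elif key.endswith("\\shellexecutehooks"):
            for clsid in values:
                if clsid.upper() in KNOWN_GOOD_HOOKS:
                    continue
                server = keys.get(f"hkey_classes_root\\clsid\\{clsid.lower()}\\inprocserver32", {})
                dll = server.get("(Default)", "<unresolved>")
                findings.append(("shell-hook", clsid, dll, "ShellExecuteHooks entry not on allowlist"))
    return findings


if __name__ == "__main__":
    for kind, name, path, reason in triage(parse_reg(SAMPLE_REG)):
        print(f"[{kind}] {name}: {path} ({reason})")
```

On a live system the same logic runs against `reg export` output of the Run, RunOnce and ShellExecuteHooks keys; every hit is a candidate for hashing and scanning, not a verdict on its own, since the lookalike threshold and the allowlist are deliberately coarse.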